Cybersecurity researchers are turning their attention to a sophisticated new tool called GoIssue that can be used to send large-scale phishing emails targeting GitHub users.
A program first marketed by a threat actor named Cyberdluffy (aka Cyber D’ Luffy) on Runion Forum earlier this August touted as a tool that allows criminals to extract email addresses from public GitHub profiles and send mass emails directly to users’ mailboxes.
“Whether you’re looking to reach a specific audience or expand your reach, GoIssue offers the precision and power you need,” the threat actor claimed in his post. “GoIssue can send bulk emails to GitHub users directly to their mailboxes, targeting any recipient.”
SlashNext said the tool marks a “dangerous shift in targeted phishing” that can act as a gateway to source code theft, supply chain attacks and corporate network breaches through compromised developer credentials.
“Armed with this information, attackers can launch customized mass email campaigns designed to bypass spam filters and target specific developer communities,” the company said in a statement. said.
A special GoIssue build is available for $700. Additionally, buyers can get full access to the source code for $3,000. As of October 11, 2024, the prices have been reduced to $150 and $1000 for a custom build and full source code for the “first 5 customers”.
In a hypothetical attack scenario, a threat actor could use this method to redirect victims to fake pages that aim to capture their login credentials, download malware, or authorize a fake OAuth application that requests access to their private storage and data.
Another aspect of Cyberdluffy to look out for is their Telegram profile, where they claim to be “members of the Gitloker team”. There was a gitlocker previously attributed to an extortion campaign focused on GitHub, which involved tricking users into clicking on a compromised link while posing as GitHub security and recruitment.
Links are sent in emails that are automatically triggered by GitHub after developer accounts are tagged in spam comments on random open issues or pull requests using already compromised accounts. The scam pages instruct them to log into their GitHub accounts and authorize a new OAuth application to apply for new jobs.
If a careless developer grants all the requested permissions to the OAuth malware, the threat actors proceed to wipe the entire contents of the repository and replace it with a ransom message that urges the victim to contact an individual named Gitloker on Telegram.
“GoIssue’s ability to mass-send these targeted emails allows attackers to scale their campaigns, affecting thousands of developers at once,” SlashNext said. “This increases the risk of successful hacks, data theft and hacked projects.”
This development comes after Perception Point outlined a new two-stage phishing attack that uses Microsoft Visio (.vdsx) and SharePoint files to obtain credentials. The emails are pretending to be business offers and are sent from previously compromised email accounts to bypass authentication.
“Clicking on the provided URL in the body of the email or in the attached .eml file takes the victim to a Microsoft SharePoint page that contains the Visio (.vsdx) file,” the company said. “The SharePoint account used to upload and host .vdsx files is also often compromised.”
There is another clickable link in the Visio file that ultimately takes the victim to a fake Microsoft 365 login page with the ultimate goal of collecting their credentials.
“Two-step phishing attacks using trusted platforms and file formats like SharePoint and Visio are becoming more common,” Perception Point added. “These multi-layered evasion tactics leverage users’ trust in familiar tools evading detection by standard email security platforms.”
